If one of your CAs is compromised, you can use the Trust Protection Platform to swap out the compromised CA:
- Create a second CA template for the new CA.
- Associate the new CA template with either a certificate object or the policy object.
- Renew the certificates.
If you associate the new CA template with the certificate object, you need to renew each certificate. If you associate the new CA template with the policy, all certificates in that policy would be renewed.